目录
本文主要介绍如何使用 freeradius 搭建集成 AD 域控的统一认证环境,支持 PAP 和 MSCHAPv2 两种认证方式。
一、必要环境安装
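# Install everything the rest of this guide needs in one transaction:
#   - samba / samba-winbind / samba-winbind-clients: AD domain join and ntlm_auth
#   - krb5-server / krb5-workstation: Kerberos tools (kinit) and the local KDC config
#   - freeradius / freeradius-utils: the RADIUS server and radtest
# The original ran four separate installs and listed krb5-server twice; a single
# install is idempotent for already-present packages and resolves deps together.
yum install -y \
  samba.x86_64 \
  samba-winbind \
  samba-winbind-clients.x86_64 \
  krb5-server.x86_64 \
  krb5-workstation \
  freeradius \
  freeradius-utils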
二、配置HOST文件
由于本案例需要通过Linux加入AD域实现,因此需要提前将RADIUS主机名添加HOST解析
本例中我们假设企业域名为csdn.com
编辑/etc/hosts ,追加添加RADIUS认证服务器HOST解析
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# The RADIUS host itself: its FQDN must resolve before "net ads join" below.
# NOTE(review): later transcripts show the machine as radius01 / RADIUS01 —
# keep this entry consistent with the host's real hostname and address.
10.0.20.27 radius02.csdn.com radius02
三、配置SAMBA
1、编辑/etc/samba/smb.conf
[global]
# Short (NetBIOS) domain name and Kerberos realm of the AD domain being joined.
workgroup = CSDN
# Authenticate against Active Directory (Kerberos + winbind) instead of a local passdb.
security = ads
realm = CSDN.COM
#passdb backend = tdbsam
# Where password checks are sent; here the AD DNS domain name (any DC).
password server = csdn.com
encrypt passwords = yes
log file = /var/log/samba.log
# Printing options are unrelated to RADIUS/AD authentication and can be
# removed if this host does not share printers.
printing = cups
printcap name = cups
load printers = yes
cups options = raw
# Let domain users appear as "user" rather than "CSDN\user"; the enum options
# make getent list all domain users/groups, which can be slow on large domains.
winbind usedefaultdomain =yes
winbindenumusers =yes
winbindenumgroups =yes
2、编辑/etc/krb5.conf
[libdefaults]
# Do not look up the realm via DNS TXT records; the mapping is given in [domain_realm].
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Do not reverse-resolve service addresses when building principal names
# (avoids mismatches when PTR records are missing or differ).
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Realm assumed when a principal is given without @REALM (e.g. "kinit Administrator").
default_realm = CSDN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# al.csdn.com is presumably the AD domain controller; it serves as KDC and admin server.
CSDN.COM = {
kdc = al.csdn.com
admin_server = al.csdn.com
}
[domain_realm]
# Map hosts under csdn.com (and the bare domain) to the realm.
.csdn.com = CSDN.COM
csdn.com = CSDN.COM
[kdc]
# Only read by the local krb5kdc daemon (see kdc.conf below); AD clients do not use it.
profile = /var/kerberos/krb5kdc/kdc.conf
3、编辑/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
CSDN.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): this list still offers DES, DES3 and arcfour-hmac (RC4), which are
# deprecated/weak; if nothing depends on them, keep only the aes*/camellia* types.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
四、配置freeradius 和winbind
1、配置 /etc/nsswitch.conf
修改以下三项,在后面添加winbind认证方式
# Resolve users/groups from local files first, then SSSD, then the AD domain via winbind.
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
2、复制、创建相关服务
将 /usr/lib/systemd/system 下的 smb.service、krb5kdc.service、winbind.service 三个 service 文件复制到 /etc/systemd/system/
# Copy the three unit files into /etc/systemd/system/. Units under /etc take
# precedence over the vendor copies in /usr/lib, so later package updates to
# these units will not be picked up until the copies are refreshed or removed.
for unit in smb.service krb5kdc.service winbind.service; do
  cp "/usr/lib/systemd/system/${unit}" /etc/systemd/system/
done
3、测试Winbind认证是否正常
[root@radius01 ~]$ kinit Administrator@CSDN.COM
Password for Administrator@CSDN.COM: *******
输入正确的密码后,预期无任何回显,表示验证通过
若提示 `kinit: Password incorrect while getting initial credentials`,表示密码错误。
五、Linux加域
1、将centos 加入我们的域CSDN.COM中
先输入以下命令
# Map the well-known BUILTIN\Guests SID (S-1-5-32-546) to the local "nobody"
# group before joining. --configfile is the long form of -s; pointing it at
# /dev/null presumably keeps this step independent of the smb.conf above.
net --configfile=/dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
再通过net ads join命令配置Linux加域
[root@radius01 ~]$ net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- CSDN
Joined 'RADIUS01' to dns domain 'CSDN.COM'
2、测试ntlm身份认证(注意:命令行中的明文密码会留在 shell 历史和进程列表中,仅用于测试)
[root@radius01 ~]$ systemctl start winbind
[root@radius01 ~]$ ntlm_auth --request-nt-key --domain=CSDN.COM --username=adradius --password=*****
六、配置RADIUS
1、编辑 /etc/raddb/mods-enabled/ntlm_auth
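exec ntlm_auth {
# Wait for ntlm_auth to exit and use its exit status as the authentication result.
wait = yes
# PAP check against AD through winbind. The original had "--sername", which
# ntlm_auth does not recognise; the option is "--username".
# NOTE: the cleartext password is passed as a process argument and is visible to
# local users in process listings while ntlm_auth runs; restrict shell access on
# this host. For MS-CHAP the mschap module's own ntlm_auth line (section 7) is used.
program = "/usr/bin/ntlm_auth --request-nt-key --domain=CSDN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}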
2、编辑/etc/raddb/sites-available/default 和/etc/raddb/sites-enabled/inner-tunnel
在/etc/raddb/sites-available/default 和 /etc/raddb/sites-enabled/inner-tunnel两个文件中均添加以下字段
authorize 中加入 ntdomain
authenticate 中 加入 ntlm_auth
# Add these two sections to both sites-available/default and sites-enabled/inner-tunnel.
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
# Strip a DOMAIN\ prefix from User-Name into Stripped-User-Name so ntlm_auth
# receives the bare account name.
ntdomain
eap {
ok = return
}
files
# A leading "-" marks the module optional: no error if sql/ldap is not enabled.
-sql
-ldap
expiration
logintime
pap
}
authenticate {
# Auth-Type ntlm_auth — selected by "DEFAULT Auth-Type = ntlm_auth" in
# mods-config/files/authorize (step 3) — runs the exec module defined in
# mods-enabled/ntlm_auth, i.e. PAP against AD via winbind.
ntlm_auth
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
3、编辑/etc/raddb/mods-config/files/authorize
在该文件中添加一行 `DEFAULT Auth-Type = ntlm_auth`
4、修改 /etc/raddb/clients.conf
此文件配置允许访问的客户端网段和共享密钥。
修改服务器端记录客户端的配置文件 /etc/raddb/clients.conf,该文件默认只提供了用于本机测试的 localhost 客户端配置,即安装完成后默认只允许本机的 client 访问 RADIUS 服务器。
client "10inside" {
# Any host in 10.0.0.0/8 that knows the shared secret may send requests;
# narrow this to the actual NAS addresses where possible.
ipaddr = 10.0.0.0/8
## allow the whole 10.x internal network
proto = udp
# Shared secret authenticating NAS <-> server traffic; treat it as a credential
# and use a long random value in production.
secret = 'RadiusShareKey@'
# RADIUS shared secret
# "no" accepts Access-Requests that carry no Message-Authenticator attribute.
# That attribute protects requests from tampering/forgery; set this to "yes"
# once every NAS in the range sends it.
require_message_authenticator = no
nas_type = other
### login = !root ###
### password = someadminpass ###
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
七、启用MSCHAPv2支持
1、修改/etc/raddb/mods-enabled/mschap
# Settings to add/uncomment inside the mschap { } block of mods-enabled/mschap.
authtype = MS-CHAP
# add this setting
# Return MPPE keys so the NAS can encrypt the session (seen as MS-CHAP-MPPE-Keys in radtest).
use_mppe = yes
# uncomment and set to yes
# Require encryption and 128-bit ("strong") MPPE keys.
require_encryption = yes
# uncomment
require_strong = yes
# uncomment
# MS-CHAP check against AD via winbind. The user name falls back from
# Stripped-User-Name (set by ntdomain in authorize) to User-Name to "None";
# challenge/response default to 00 when absent. Unlike the PAP exec module,
# no cleartext password appears on the command line here.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
# add this setting
执行以下命令
# Give the radiusd service account access to winbind's privileged pipe, which
# "ntlm_auth --request-nt-key" needs: add radiusd to wbpriv and make the
# privileged directory group-owned by wbpriv. Restart radiusd afterwards so
# the new group membership takes effect.
usermod -aG wbpriv radiusd
chown root:wbpriv -- /var/lib/samba/winbindd_privileged
八、日志和测试
1、日志
日志文件路径如下
# Main FreeRADIUS log; check it when the radtest below does not return Access-Accept.
cat /var/log/radius/radius.log
2、RADIUS认证测试
[root@sz_radius_10 ~]# radtest -t mschap Administrator P@ssw0rd 10.0.20.27 0 RadiusShareKey@
Sent Access-Request Id 122 from 0.0.0.0:40917 to 10.0.20.27:1812 length 139
User-Name = "Administrator"
MS-CHAP-Password = "P@ssw0rd"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "P@ssw0rd"
MS-CHAP-Challenge = 0xc2253beb6b76a687
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000012167e9f6b290e53887ccdcc842beb9d29176e8583fee506
Received Access-Accept Id 122 from 10.0.20.27:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = 0x0000000000000000727b1f3c77773ae3200fa32a4353796e
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
可以看到本次请求使用 MS-CHAP 认证方式,并且认证结果为 Received Access-Accept。